Diffstat (limited to 'Linux-PAM/modules/pam_group/README')
-rw-r--r-- | Linux-PAM/modules/pam_group/README | 45 |
1 files changed, 0 insertions, 45 deletions
diff --git a/Linux-PAM/modules/pam_group/README b/Linux-PAM/modules/pam_group/README deleted file mode 100644 index 2e1e37a5..00000000 --- a/Linux-PAM/modules/pam_group/README +++ /dev/null 
@@ -1,45 +0,0 @@ -pam_group — PAM module for group access - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_group PAM module does not authenticate the user, but instead it grants -group memberships (in the credential setting phase of the authentication -module) to the user. Such memberships are based on the service they are -applying for. - -By default rules for group memberships are taken from config file /etc/security -/group.conf. - -This module's usefulness relies on the file-systems accessible to the user. The -point being that once granted the membership of a group, the user may attempt -to create a setgid binary with a restricted group ownership. Later, when the -user is not given membership to this group, they can recover group membership -with the precompiled binary. The reason that the file-systems that the user has -access to are so significant, is the fact that when a system is mounted nosuid -the user is unable to create or execute such a binary file. For this module to -provide any level of security, all file-systems that the user has write access -to should be mounted nosuid. - -The pam_group module fuctions in parallel with the /etc/group file. If the user -is granted any groups based on the behavior of this module, they are granted in -addition to those entries /etc/group (or equivalent). - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -group.conf. - -Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the -floppy (through membership of the floppy group) - -xsh;tty*&!ttyp*;us;Al0000-2400;floppy - -Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to -games (through membership of the floppy group) after work hours. - -xsh; tty* ;sword;!Wk0900-1800;games, sound -xsh; tty* ;*;Al0900-1800;floppy - - |
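Review bot: this hunk deletes the whole pam_group README (45 lines, nothing added in its place) and with it the one operational security caveat the module has: a user who is granted a group only for some service or time window can build a setgid binary owned by that group and keep the membership after the grant expires, so every file system the user can write to must be mounted nosuid for the module to provide any protection. The diff does not say where that text, the /etc/security/group.conf search location, or the example rule lines (`xsh;tty*&!ttyp*;us;Al0000-2400;floppy`) now live. Before merging, either point to the replacement documentation that carries the nosuid warning and the `service;tty;users;times;groups` examples (for instance a pam_group man page or the module's XML source, if the README is generated from it) in the commit, or keep the file; deleting the only visible copy of that warning with no stated replacement is a regression for administrators deploying this module.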